Wavetek Posted June 13, 2013 (edited)

Hi guys, I have an email form on a website that sends the form data to an external php file (contact-form-handler.php). I have recently tried to add a captcha; however, I have been unsuccessful in getting the external php file to check if the captcha code was entered correctly. At the moment it says that it is incorrect even when I enter the correct code.

The website is ********

The form code:

```php
<form method="POST" name="contact_form" action="/templates/onlinespark/contact-form-handler.php">
    <label for='name'>Name: </label>
    <!-- ENT_QUOTES: the value attributes are single-quoted, so single quotes must be escaped too -->
    <input type="text" name="name" value='<?php echo htmlentities($name, ENT_QUOTES) ?>'>
    <label for='email'>Email: </label>
    <input type="text" name="email" value='<?php echo htmlentities($visitor_email, ENT_QUOTES) ?>'>
    <label for='phone'>Phone: </label>
    <input type="text" name="phone" value='<?php echo htmlentities($phone, ENT_QUOTES) ?>'>
    <label for='message'>Message:</label>
    <textarea name="message" rows=8 cols=30><?php echo htmlentities($user_message) ?></textarea>
    <label><img src="/templates/onlinespark/captcha.php"></label>
    <?php $salt = 'some-random-text'; ?>
    <input type="text" name="code" />
    <input type="hidden" name="code_key" value="<?php echo sha1('Text in the image' . $salt); ?>" />
    <input type="submit" value="Submit" name='submit' class="quoteButton">
</form>
```

The external php file:

```php
<?php
if (isset($_POST['submit'])) {
    $error = "";

    if (!empty($_POST['name'])) {
        // Strip CR/LF: $name is placed in the From: header below
        $name = str_replace(array("\r", "\n"), '', $_POST['name']);
    } else {
        $error .= "You didn't type in your name. <br />";
    }

    if (!empty($_POST['phone'])) {
        $phone = $_POST['phone']; // was assigned to $name, overwriting the sender's name
    } else {
        $error .= "You didn't enter your phone. <br />";
    }

    if (!empty($_POST['email'])) {
        $email = $_POST['email'];
        if (!preg_match("/^[a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){
            $error .= "The e-mail address you entered is not valid. <br/>";
        }
    } else {
        $error .= "You didn't type in an e-mail address. <br />";
    }

    if (!empty($_POST['message'])) {
        $message = $_POST['message'];
    } else {
        $error .= "You didn't type in a message. <br />";
    }

    $salt = 'some-random-text'; // same salt string as in the original file
    if ($_POST['code_key'] == sha1($_POST['code'] . $salt)) {
        // captcha is correct
    } else {
        $error .= "The captcha code you entered does not match. Please try again. <br />";
    }

    if (empty($error)) {
        $from = 'From: ' . $name . ' <' . $email . '>';
        $to = "mail@mail.com.au";
        $subject = "New contact form message";
        $content = $name . " has sent you a message: \n" . $message;
        $success = "<h3>Thank you! Your message has been sent!</h3>";
        mail($to,$subject,$content,$from);
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>ERROR - Please fill in all fields!</title>
</head>
<body>
<!-- This page is displayed only if there is some error -->
<h1>ERROR - Please go back and fill in all fields!</h1>
<?php
if (!empty($error)) {
    echo '<p class="error"><strong>Your message was NOT sent<br/> The following error(s) returned:</strong><br/>' . $error . '</p>';
} elseif (!empty($success)) {
    echo $success;
}
?>
</body>
</html>
```

Edited June 19, 2013 by gizmola

gizmola Posted June 13, 2013

I don't see where the form synchronizes with the captcha image. You have this code:

```php
<?php echo sha1('Text in the image' . $salt); ?>
```

I would expect to see something like:

```php
<?php echo sha1($captchaText . $salt); ?>
```

It's really not clear what syncs the image produced by /templates/onlinespark/captcha.php with the plaintext version of that image in your script, which is something you would need for this scheme to work.

Wavetek Posted June 13, 2013

Ah yes, to be quite honest I'm really not sure how to do that. I originally had areyouahuman.com installed on the page, however the client did not want it and wanted a captcha instead, so I'm trying to get this captcha to work as it's small and doesn't ruin the design. PHP is certainly not my strong point, is there any chance you could help me out? Cheers!

gizmola Posted June 13, 2013

I can't really help you if I don't know what library or component you are using to generate the captcha image.

Wavetek Posted June 13, 2013

Oh, sorry, here is the code for the captcha.php file which generates the image:

```php
<?php
session_start(); // start a session
$image = imagecreate(50, 20); //create blank image (width, height)
$bgcolor = imagecolorallocate($image, 0, 0, 0); //add background color with RGB.
$textcolor = imagecolorallocate($image, 255, 255, 255); //add text/code color with RGB.
$code = rand(1000, 9999); //create a random number between 1000 and 9999
$_SESSION['code'] = ($code); //add the random number to session 'code'
imagestring($image, 10, 8, 3, $code, $textcolor); //create image with all the settings above.
header ("Content-type: image/png"); // define image type
imagepng($image); //display image as PNG
?>
```

Thanks!

Wavetek Posted June 14, 2013

Sorry for the bump, but I really need to get this fixed.

kicken Posted June 14, 2013

You need to change the way your code is generated. The PHP file containing the form should generate the code, then have the image generation script read the code. E.g.:

```php
<?php
//...
$_SESSION['code'] = mt_rand(1000, 9999);
?>
<img src="captcha.php">

//...
imagestring($image, 10, 8, 3, $_SESSION['code'], $textcolor); //create image with all the settings above.
header ("Content-type: image/png"); // define image type
```

Then to verify, compare what they enter with $_SESSION['code'] and see if they match.

Wavetek Posted June 14, 2013

Hmm, that didn't work, it just made the text disappear from the captcha. I'm willing to pay someone to help me out with this. Cheers

Wavetek Posted June 16, 2013

bump

mac_gyver Posted June 16, 2013

if your captcha.php image code was working and saved the $code value to the $_SESSION['code'] variable, all you need to do is check in your form processing logic if the submitted value the user entered in the form is not empty and that it is not exactly equal to the value in the $_SESSION['code'] variable.

all the code you have leftover that is passing the "code_key" as a hidden field (which was insecure anyway) and testing that value with the submitted code from the user would go away, unless you are trying to confuse bot scripts by tricking them to submit that hidden field's value.

Wavetek Posted June 17, 2013

Any chance you could help me out with some code to make it work?

mac_gyver Posted June 17, 2013

not very likely. you are producing a value, passing that value through a session variable, and comparing that value with another value that was submitted from a form. make an attempt at performing those steps. the first two steps are already in your code and wherever you found the captcha.php image code probably contained examples of the rest of what is needed.

Wavetek Posted June 17, 2013

This is the tutorial I got the code from: http://devingredients.com/2011/03/building-a-php-contact-form-with-captcha-from-scratch/

It seems nothing is different from my code other than they are using a self-executing script. For some reason my server won't allow this, so I need to do it with an external php file to send the email. Any ideas?

Wavetek Posted June 17, 2013 (edited)

I got it working! All I had to do was add:

```php
session_start();
```

to the external PHP file. Thanks for the help guys.

Could a moderator please remove the URL from the first post? Cheers!

Edited June 17, 2013 by Wavetek

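The check the thread converges on (call session_start() in the handler, compare the submitted code with $_SESSION['code'], and drop the hidden code_key field), written out as an added example that is not part of any post above. The helper name captcha_is_valid is hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Assumes captcha.php has already
// stored the generated code in $_SESSION['code'], as in the posted script.
session_start(); // without this, $_SESSION is empty in the handler

/**
 * Hypothetical helper: true only when the submitted code matches the one
 * stored in the session. The stored code is discarded on every attempt,
 * so a solved captcha cannot be reused for a second submission.
 */
function captcha_is_valid(array $post, array &$session): bool
{
    $expected = isset($session['code']) ? (string) $session['code'] : '';
    unset($session['code']); // single use: pass or fail, a new image is needed

    $submitted = isset($post['code']) && is_string($post['code'])
        ? trim($post['code'])
        : '';

    if ($expected === '' || $submitted === '') {
        return false; // no captcha issued for this session, or nothing entered
    }

    // Both sides come from the server session and the visible text field;
    // no client-supplied hash (the old code_key) takes part in the decision.
    return hash_equals($expected, $submitted);
}

$error = '';
if (isset($_POST['submit']) && !captcha_is_valid($_POST, $_SESSION)) {
    $error .= "The captcha code you entered does not match. Please try again. <br />";
}
```

With this in place the form no longer needs the code_key input or the $salt value, since the expected answer never leaves the server.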